I downloaded the files from the links you put in your reply email. I downloaded the iso file both with qbittorrent and from the link https://www.debian.org/download where there are links for the integrity check (https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS) and for the authenticity check (https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS.sign).
The content of these links, seen now, is the following: cb089def0684fd93c9c2fbe45fd16ecc809c949a6fd0c91ee199faefe7d4b82b64658a264a13109d59f1a40ac3080be2f7bd3d8bf3e9cdf509add6d72576a79b debian-12.10.0-amd64-netinst.iso 71d4c4e2ea7b617362875a74eb007308ae577ebe4b02ffeb626f1d12eaf412567d1d1816dbdbbb84cfaa38a205c13abf317ec227e5b2df9c982979698909889c debian-edu-12.10.0-amd64-netinst.iso 269e64d2a379429905cf95191036cc53fdc148c624af68386d3a238f5fe2c5b03e3732706eaac175303b1fe327f691dc50faf8d65665781d6bcbbabf072559fa debian-mac-12.10.0-amd64-netinst.iso -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE35ucSeqpKYQyWJ122ofoDWKUvpsFAmfV5AQACgkQ2ofoDWKU vptrSw//YkAl5rHx0dM61aeErsbzdrf1dzVPEzQfat9SeEpCm8z9Ky5jKknQtQc/ j8pDk8lxrDtcuSpoAtdeIue5j4r9g73s252THVA/JSVqy3DHAw3bC+KWKkcW38ct wFyEifjRPrpoogt+I1FjRRye+J66pYbKj1fC1jJ9QmsEJ9/OaeceFiMAn4wORYPi BJDDpU8mX9MM6+1DTftFcoo++THeIogcrj1RTbk2RVYjVayOdZn9vcjQixAcn3fW NSPJyeuaCFRmNppNh29tVxikGV3dFazrhyCs0tg9/80O+K+J0k6GiXpBE3jWjK2s ly6GPUWzzNLsxMNPYoQ1nQ5PH5IQCYA8Yd38eL7KeN+A2k0Wwb5K/7kAIDgvbNYK zgd940jhLjP1c4TTZMeJoOdhLXxw2ZbsPCyhSVMdeCJJOK6kR65qkBNAZTlpnuYa bhzwQlpZIgFT6Yxxbb70ONAn3UuY/2w6CSzkX6aD4Mi30bx5kP/6uN8pfS0asRRQ a0wjc0+nSlcF2gIRdLeB2hV4V7q78nSEyMY8NWQMttIwowojuqUE/M+GpE15P87m VyWM1m7IEXhgczZxNJqnOfI0HEflfEqpGz9Vku6QNr0yudxTENjvM6+vmHo8yXF9 zDq6Jh7ZR+r1QAVY7+1dksC9ifa2rBdqMbgdALD2iUXuU0VMzl8= =kdXj -----END PGP SIGNATURE----- Do you see the same thing? PA ________________________________ Da: Thomas Schmitt Inviato: Venerdì, 28 Marzo, 2025 14:42 A: debian-user@lists.debian.org Cc: pierantonio.corrad...@gmail.com Oggetto: Re: Help: debian-12.10.0-amd64-netinst.iso autenticity test Hi, Pier Antonio Corradini wrote: > 3D0BA303805111F651A88D96FC64867FFC678E43F3756F5F91B24A810D91015E459... > C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP\SHA512SUMS.txt I get 36bf1f16bc4b9795122b7b3542a32f34c3be0ef294ff3a8bf43232df6554b69b569fe15d93c79ee48a47902e1a6ad87ca9966988cd4bf9db684f7dd7eda7813a from sha512sum SHA512SUMS So your SHA512SUMS.txt has not the same as my SHA512SUMS download of yesterday. > 58B5434926A9E5F7BA27FA32CD19B4379658945646549D6ACD3EC9A9368FFFACDAC... > C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP\SHA512SUMS.sign I get 0095bd988c97a7bd0400704ffd3d0fe64a33057b5eaed7530973fac4e039cc366bc5c144413cdb48a591fa5a5d9bd8240721d797964ca453b5981d90ed8e1a13 from sha512sum SHA512SUMS.sign So our respective files with name SHA512SUMS.sign differ by content, too. We now know that local processing, downloading or malicious activities altered the signature file and the SHA512SUMS file. Malice would have to be suspected if the listed checksums in your file SHA512SUMS.txt would differ from those in my downloaded copy. My downloaded SHA512SUMS file has this content: ----------------------------------------------------------------------- e0bd9ba03084a6fd42413b425a2d20e3731678a31fe5fb2cc84f79332129afca2ad4ec897b4224d6a833afaf28a5d938b0fe5d680983182944162c6825b135ce debian-12.7.0-amd64-netinst.iso 915ab697472fd9a25a6b7b5d4988ee659fed61cd6dc6cd990435971af5894fca82426f213913fd95cce04de8d10e0ee709023b677d02d5c48062208ff5ab3112 debian-edu-12.7.0-amd64-netinst.iso d9480c2d765f3b1ebe8e7d06b1cf6ecf30b95146d5c2036f20904957db6139a440f9f8e7f4f901da6a02f810f2b3ab660aea56d99778c647c62386a2082c9407 debian-mac-12.7.0-amd64-netinst.iso ----------------------------------------------------------------------- So what does your SHA512.txt say ? ======================================================================= Not of importance for the problem any more. Just for understanding: Pier Antonio Corradini wrote: > > > gpg: Firma effettuata 03/15/25 21:33:08 ora solare Europa occidentale > > > gpg: utilizzando la chiave RSA > > > DF9B9C49EAA9298432589D76DA87E80D6294BE9B I wrote: > > Did this second-step run succeed ? > > It seems that the decisive message line is missing. Pier Antonio Corradini wrote: > What message? Something like gpg: Firma BAD da "Debian CD signing key <debian...@lists.debian.org>" or gpg: Firma Good da "Debian CD signing key <debian...@lists.debian.org>" or whatever your gpg --verify says about matching signature. Whatever, we now know that the files SHA512SUMS.txt and SHA512SUMS.sign are altered, which explains why they do not match. ======================================================================= Have a nice day :) Thomas
